2015-05-12 00:43:54 +02:00
|
|
|
package middleware
|
|
|
|
|
|
|
|
import (
|
|
|
|
"net/http"
|
2016-09-23 07:53:44 +02:00
|
|
|
"net/http/httptest"
|
2020-12-01 08:51:20 +02:00
|
|
|
"net/url"
|
|
|
|
"strings"
|
2015-05-12 00:43:54 +02:00
|
|
|
"testing"
|
2015-05-18 07:54:29 +02:00
|
|
|
|
2016-04-25 19:58:11 +02:00
|
|
|
"github.com/dgrijalva/jwt-go"
|
2019-01-30 12:56:56 +02:00
|
|
|
"github.com/labstack/echo/v4"
|
2015-05-30 19:54:55 +02:00
|
|
|
"github.com/stretchr/testify/assert"
|
2015-05-12 00:43:54 +02:00
|
|
|
)
|
|
|
|
|
2016-08-20 18:12:17 +02:00
|
|
|
// jwtCustomInfo defines some custom types we're going to use within our tokens.
|
|
|
|
type jwtCustomInfo struct {
|
2016-08-20 17:59:36 +02:00
|
|
|
Name string `json:"name"`
|
|
|
|
Admin bool `json:"admin"`
|
|
|
|
}
|
|
|
|
|
2016-08-20 18:12:17 +02:00
|
|
|
// jwtCustomClaims are custom claims expanding default ones.
|
|
|
|
type jwtCustomClaims struct {
|
2016-08-20 17:59:36 +02:00
|
|
|
*jwt.StandardClaims
|
2016-08-20 18:12:17 +02:00
|
|
|
jwtCustomInfo
|
2016-08-20 17:59:36 +02:00
|
|
|
}
|
|
|
|
|
2017-07-14 20:55:19 +02:00
|
|
|
func TestJWTRace(t *testing.T) {
|
|
|
|
e := echo.New()
|
|
|
|
handler := func(c echo.Context) error {
|
|
|
|
return c.String(http.StatusOK, "test")
|
|
|
|
}
|
|
|
|
initialToken := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"
|
|
|
|
raceToken := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlJhY2UgQ29uZGl0aW9uIiwiYWRtaW4iOmZhbHNlfQ.Xzkx9mcgGqYMTkuxSCbJ67lsDyk5J2aB7hu65cEE-Ss"
|
|
|
|
validKey := []byte("secret")
|
|
|
|
|
|
|
|
h := JWTWithConfig(JWTConfig{
|
|
|
|
Claims: &jwtCustomClaims{},
|
|
|
|
SigningKey: validKey,
|
|
|
|
})(handler)
|
|
|
|
|
|
|
|
makeReq := func(token string) echo.Context {
|
2018-10-14 17:16:58 +02:00
|
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
2017-07-14 20:55:19 +02:00
|
|
|
res := httptest.NewRecorder()
|
|
|
|
req.Header.Set(echo.HeaderAuthorization, DefaultJWTConfig.AuthScheme+" "+token)
|
|
|
|
c := e.NewContext(req, res)
|
|
|
|
assert.NoError(t, h(c))
|
|
|
|
return c
|
|
|
|
}
|
|
|
|
|
|
|
|
c := makeReq(initialToken)
|
|
|
|
user := c.Get("user").(*jwt.Token)
|
|
|
|
claims := user.Claims.(*jwtCustomClaims)
|
|
|
|
assert.Equal(t, claims.Name, "John Doe")
|
|
|
|
|
|
|
|
makeReq(raceToken)
|
|
|
|
user = c.Get("user").(*jwt.Token)
|
|
|
|
claims = user.Claims.(*jwtCustomClaims)
|
|
|
|
// Initial context should still be "John Doe", not "Race Condition"
|
|
|
|
assert.Equal(t, claims.Name, "John Doe")
|
|
|
|
assert.Equal(t, claims.Admin, true)
|
|
|
|
}
|
|
|
|
|
2016-05-07 16:45:03 +02:00
|
|
|
func TestJWT(t *testing.T) {
|
2016-04-25 19:58:11 +02:00
|
|
|
e := echo.New()
|
|
|
|
handler := func(c echo.Context) error {
|
|
|
|
return c.String(http.StatusOK, "test")
|
|
|
|
}
|
|
|
|
token := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"
|
2016-07-02 00:07:40 +02:00
|
|
|
validKey := []byte("secret")
|
|
|
|
invalidKey := []byte("invalid-key")
|
2016-12-19 21:37:43 +02:00
|
|
|
validAuth := DefaultJWTConfig.AuthScheme + " " + token
|
2016-04-25 19:58:11 +02:00
|
|
|
|
2016-07-02 00:07:40 +02:00
|
|
|
for _, tc := range []struct {
|
|
|
|
expPanic bool
|
|
|
|
expErrCode int // 0 for Success
|
|
|
|
config JWTConfig
|
|
|
|
reqURL string // "/" if empty
|
|
|
|
hdrAuth string
|
2016-07-02 11:26:05 +02:00
|
|
|
hdrCookie string // test.Request doesn't provide SetCookie(); use name=val
|
2020-12-01 08:51:20 +02:00
|
|
|
formValues map[string]string
|
2016-07-02 00:07:40 +02:00
|
|
|
info string
|
|
|
|
}{
|
2016-08-27 22:03:40 +02:00
|
|
|
{
|
|
|
|
expPanic: true,
|
|
|
|
info: "No signing key provided",
|
|
|
|
},
|
2016-07-02 00:07:40 +02:00
|
|
|
{
|
|
|
|
expErrCode: http.StatusBadRequest,
|
|
|
|
config: JWTConfig{
|
|
|
|
SigningKey: validKey,
|
|
|
|
SigningMethod: "RS256",
|
|
|
|
},
|
|
|
|
info: "Unexpected signing method",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
expErrCode: http.StatusUnauthorized,
|
|
|
|
hdrAuth: validAuth,
|
|
|
|
config: JWTConfig{SigningKey: invalidKey},
|
|
|
|
info: "Invalid key",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
hdrAuth: validAuth,
|
|
|
|
config: JWTConfig{SigningKey: validKey},
|
|
|
|
info: "Valid JWT",
|
|
|
|
},
|
2016-12-18 12:38:46 +02:00
|
|
|
{
|
|
|
|
hdrAuth: "Token" + " " + token,
|
|
|
|
config: JWTConfig{AuthScheme: "Token", SigningKey: validKey},
|
|
|
|
info: "Valid JWT with custom AuthScheme",
|
|
|
|
},
|
2016-08-27 19:52:35 +02:00
|
|
|
{
|
|
|
|
hdrAuth: validAuth,
|
|
|
|
config: JWTConfig{
|
|
|
|
Claims: &jwtCustomClaims{},
|
|
|
|
SigningKey: []byte("secret"),
|
|
|
|
},
|
|
|
|
info: "Valid JWT with custom claims",
|
|
|
|
},
|
2016-07-02 00:07:40 +02:00
|
|
|
{
|
|
|
|
hdrAuth: "invalid-auth",
|
|
|
|
expErrCode: http.StatusBadRequest,
|
|
|
|
config: JWTConfig{SigningKey: validKey},
|
|
|
|
info: "Invalid Authorization header",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
config: JWTConfig{SigningKey: validKey},
|
|
|
|
expErrCode: http.StatusBadRequest,
|
|
|
|
info: "Empty header auth field",
|
|
|
|
},
|
2016-07-02 00:27:48 +02:00
|
|
|
{
|
|
|
|
config: JWTConfig{
|
|
|
|
SigningKey: validKey,
|
|
|
|
TokenLookup: "query:jwt",
|
|
|
|
},
|
|
|
|
reqURL: "/?a=b&jwt=" + token,
|
|
|
|
info: "Valid query method",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
config: JWTConfig{
|
|
|
|
SigningKey: validKey,
|
|
|
|
TokenLookup: "query:jwt",
|
|
|
|
},
|
|
|
|
reqURL: "/?a=b&jwtxyz=" + token,
|
|
|
|
expErrCode: http.StatusBadRequest,
|
|
|
|
info: "Invalid query param name",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
config: JWTConfig{
|
|
|
|
SigningKey: validKey,
|
|
|
|
TokenLookup: "query:jwt",
|
|
|
|
},
|
|
|
|
reqURL: "/?a=b&jwt=invalid-token",
|
|
|
|
expErrCode: http.StatusUnauthorized,
|
|
|
|
info: "Invalid query param value",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
config: JWTConfig{
|
|
|
|
SigningKey: validKey,
|
|
|
|
TokenLookup: "query:jwt",
|
|
|
|
},
|
|
|
|
reqURL: "/?a=b",
|
|
|
|
expErrCode: http.StatusBadRequest,
|
|
|
|
info: "Empty query",
|
|
|
|
},
|
2019-06-09 18:49:52 +02:00
|
|
|
{
|
|
|
|
config: JWTConfig{
|
|
|
|
SigningKey: validKey,
|
|
|
|
TokenLookup: "param:jwt",
|
|
|
|
},
|
|
|
|
reqURL: "/" + token,
|
|
|
|
info: "Valid param method",
|
|
|
|
},
|
2016-07-02 11:26:05 +02:00
|
|
|
{
|
|
|
|
config: JWTConfig{
|
|
|
|
SigningKey: validKey,
|
|
|
|
TokenLookup: "cookie:jwt",
|
|
|
|
},
|
|
|
|
hdrCookie: "jwt=" + token,
|
|
|
|
info: "Valid cookie method",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
config: JWTConfig{
|
|
|
|
SigningKey: validKey,
|
|
|
|
TokenLookup: "cookie:jwt",
|
|
|
|
},
|
|
|
|
expErrCode: http.StatusUnauthorized,
|
|
|
|
hdrCookie: "jwt=invalid",
|
|
|
|
info: "Invalid token with cookie method",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
config: JWTConfig{
|
|
|
|
SigningKey: validKey,
|
|
|
|
TokenLookup: "cookie:jwt",
|
|
|
|
},
|
|
|
|
expErrCode: http.StatusBadRequest,
|
|
|
|
info: "Empty cookie",
|
|
|
|
},
|
2020-12-01 08:51:20 +02:00
|
|
|
{
|
|
|
|
config: JWTConfig{
|
|
|
|
SigningKey: validKey,
|
|
|
|
TokenLookup: "form:jwt",
|
|
|
|
},
|
|
|
|
formValues: map[string]string{"jwt": token},
|
|
|
|
info: "Valid form method",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
config: JWTConfig{
|
|
|
|
SigningKey: validKey,
|
|
|
|
TokenLookup: "form:jwt",
|
|
|
|
},
|
|
|
|
expErrCode: http.StatusUnauthorized,
|
|
|
|
formValues: map[string]string{"jwt": "invalid"},
|
|
|
|
info: "Invalid token with form method",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
config: JWTConfig{
|
|
|
|
SigningKey: validKey,
|
|
|
|
TokenLookup: "form:jwt",
|
|
|
|
},
|
|
|
|
expErrCode: http.StatusBadRequest,
|
|
|
|
info: "Empty form field",
|
|
|
|
},
|
2016-07-02 00:07:40 +02:00
|
|
|
} {
|
|
|
|
if tc.reqURL == "" {
|
|
|
|
tc.reqURL = "/"
|
|
|
|
}
|
2016-04-25 19:58:11 +02:00
|
|
|
|
2020-12-01 08:51:20 +02:00
|
|
|
var req *http.Request
|
|
|
|
if len(tc.formValues) > 0 {
|
|
|
|
form := url.Values{}
|
|
|
|
for k, v := range tc.formValues {
|
|
|
|
form.Set(k, v)
|
|
|
|
}
|
|
|
|
req = httptest.NewRequest(http.MethodPost, tc.reqURL, strings.NewReader(form.Encode()))
|
|
|
|
req.Header.Set(echo.HeaderContentType, "application/x-www-form-urlencoded")
|
|
|
|
req.ParseForm()
|
|
|
|
} else {
|
|
|
|
req = httptest.NewRequest(http.MethodGet, tc.reqURL, nil)
|
|
|
|
}
|
2016-09-23 07:53:44 +02:00
|
|
|
res := httptest.NewRecorder()
|
|
|
|
req.Header.Set(echo.HeaderAuthorization, tc.hdrAuth)
|
|
|
|
req.Header.Set(echo.HeaderCookie, tc.hdrCookie)
|
2016-07-02 00:07:40 +02:00
|
|
|
c := e.NewContext(req, res)
|
2016-04-25 19:58:11 +02:00
|
|
|
|
2020-01-25 19:48:53 +02:00
|
|
|
if tc.reqURL == "/"+token {
|
2019-06-09 18:49:52 +02:00
|
|
|
c.SetParamNames("jwt")
|
|
|
|
c.SetParamValues(token)
|
|
|
|
}
|
|
|
|
|
2016-07-02 00:07:40 +02:00
|
|
|
if tc.expPanic {
|
|
|
|
assert.Panics(t, func() {
|
|
|
|
JWTWithConfig(tc.config)
|
|
|
|
}, tc.info)
|
|
|
|
continue
|
|
|
|
}
|
2016-04-25 19:58:11 +02:00
|
|
|
|
2016-07-02 00:07:40 +02:00
|
|
|
if tc.expErrCode != 0 {
|
|
|
|
h := JWTWithConfig(tc.config)(handler)
|
|
|
|
he := h(c).(*echo.HTTPError)
|
|
|
|
assert.Equal(t, tc.expErrCode, he.Code, tc.info)
|
|
|
|
continue
|
|
|
|
}
|
2016-08-20 17:59:36 +02:00
|
|
|
|
2016-07-02 00:07:40 +02:00
|
|
|
h := JWTWithConfig(tc.config)(handler)
|
|
|
|
if assert.NoError(t, h(c), tc.info) {
|
|
|
|
user := c.Get("user").(*jwt.Token)
|
2016-08-27 19:52:35 +02:00
|
|
|
switch claims := user.Claims.(type) {
|
|
|
|
case jwt.MapClaims:
|
|
|
|
assert.Equal(t, claims["name"], "John Doe", tc.info)
|
|
|
|
case *jwtCustomClaims:
|
2016-08-27 22:03:40 +02:00
|
|
|
assert.Equal(t, claims.Name, "John Doe", tc.info)
|
|
|
|
assert.Equal(t, claims.Admin, true, tc.info)
|
2016-08-27 19:52:35 +02:00
|
|
|
default:
|
|
|
|
panic("unexpected type of claims")
|
|
|
|
}
|
2016-07-02 00:07:40 +02:00
|
|
|
}
|
|
|
|
}
|
2015-05-12 00:43:54 +02:00
|
|
|
}
|
2019-05-17 16:45:49 +02:00
|
|
|
|
|
|
|
func TestJWTwithKID(t *testing.T) {
|
|
|
|
test := assert.New(t)
|
|
|
|
|
|
|
|
e := echo.New()
|
|
|
|
handler := func(c echo.Context) error {
|
|
|
|
return c.String(http.StatusOK, "test")
|
|
|
|
}
|
|
|
|
firstToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6ImZpcnN0T25lIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.w5VGpHOe0jlNgf7jMVLHzIYH_XULmpUlreJnilwSkWk"
|
|
|
|
secondToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6InNlY29uZE9uZSJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.sdghDYQ85jdh0hgQ6bKbMguLI_NSPYWjkhVJkee-yZM"
|
|
|
|
wrongToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiIsImtpZCI6InNlY29uZE9uZSJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.RyhLybtVLpoewF6nz9YN79oXo32kAtgUxp8FNwTkb90"
|
|
|
|
staticToken := "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.1_-XFYUPpJfgsaGwYhgZEt7hfySMg-a3GN-nfZmbW7o"
|
|
|
|
validKeys := map[string]interface{}{"firstOne": []byte("first_secret"), "secondOne": []byte("second_secret")}
|
|
|
|
invalidKeys := map[string]interface{}{"thirdOne": []byte("third_secret")}
|
|
|
|
staticSecret := []byte("static_secret")
|
|
|
|
invalidStaticSecret := []byte("invalid_secret")
|
|
|
|
|
|
|
|
for _, tc := range []struct {
|
|
|
|
expErrCode int // 0 for Success
|
|
|
|
config JWTConfig
|
|
|
|
hdrAuth string
|
|
|
|
info string
|
|
|
|
}{
|
|
|
|
{
|
|
|
|
hdrAuth: DefaultJWTConfig.AuthScheme + " " + firstToken,
|
|
|
|
config: JWTConfig{SigningKeys: validKeys},
|
|
|
|
info: "First token valid",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
hdrAuth: DefaultJWTConfig.AuthScheme + " " + secondToken,
|
|
|
|
config: JWTConfig{SigningKeys: validKeys},
|
|
|
|
info: "Second token valid",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
expErrCode: http.StatusUnauthorized,
|
|
|
|
hdrAuth: DefaultJWTConfig.AuthScheme + " " + wrongToken,
|
|
|
|
config: JWTConfig{SigningKeys: validKeys},
|
|
|
|
info: "Wrong key id token",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
hdrAuth: DefaultJWTConfig.AuthScheme + " " + staticToken,
|
|
|
|
config: JWTConfig{SigningKey: staticSecret},
|
|
|
|
info: "Valid static secret token",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
expErrCode: http.StatusUnauthorized,
|
|
|
|
hdrAuth: DefaultJWTConfig.AuthScheme + " " + staticToken,
|
|
|
|
config: JWTConfig{SigningKey: invalidStaticSecret},
|
|
|
|
info: "Invalid static secret",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
expErrCode: http.StatusUnauthorized,
|
|
|
|
hdrAuth: DefaultJWTConfig.AuthScheme + " " + firstToken,
|
|
|
|
config: JWTConfig{SigningKeys: invalidKeys},
|
|
|
|
info: "Invalid keys first token",
|
|
|
|
},
|
|
|
|
{
|
|
|
|
expErrCode: http.StatusUnauthorized,
|
|
|
|
hdrAuth: DefaultJWTConfig.AuthScheme + " " + secondToken,
|
|
|
|
config: JWTConfig{SigningKeys: invalidKeys},
|
|
|
|
info: "Invalid keys second token",
|
|
|
|
},
|
|
|
|
} {
|
|
|
|
req := httptest.NewRequest(http.MethodGet, "/", nil)
|
|
|
|
res := httptest.NewRecorder()
|
|
|
|
req.Header.Set(echo.HeaderAuthorization, tc.hdrAuth)
|
|
|
|
c := e.NewContext(req, res)
|
|
|
|
|
|
|
|
if tc.expErrCode != 0 {
|
|
|
|
h := JWTWithConfig(tc.config)(handler)
|
|
|
|
he := h(c).(*echo.HTTPError)
|
|
|
|
test.Equal(tc.expErrCode, he.Code, tc.info)
|
|
|
|
continue
|
|
|
|
}
|
|
|
|
|
|
|
|
h := JWTWithConfig(tc.config)(handler)
|
|
|
|
if test.NoError(h(c), tc.info) {
|
|
|
|
user := c.Get("user").(*jwt.Token)
|
|
|
|
switch claims := user.Claims.(type) {
|
|
|
|
case jwt.MapClaims:
|
|
|
|
test.Equal(claims["name"], "John Doe", tc.info)
|
|
|
|
case *jwtCustomClaims:
|
|
|
|
test.Equal(claims.Name, "John Doe", tc.info)
|
|
|
|
test.Equal(claims.Admin, true, tc.info)
|
|
|
|
default:
|
|
|
|
panic("unexpected type of claims")
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|